Is TokenVerifier#call reentrant?
nevans opened this issue
nicholas a. evans commented
In the railtie, we assign a new token verifier to a global config value:
OmniAuth doesn't protect against concurrent calls to this global object (omniauth/strategy.rb):
OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
`TokenVerifier#call` sets an ivar on this global object, before calling `verified_request?`:
In a multi-threaded app, two threads might update `@request` before either thread is able to evaluate `verified_request?`. (With fibers, this should be safe... so long as no fiber transfers are triggered by `ActionDispatch::Request.new`, `verified_request?`, TracePoint, etc.)
What do you think? Am I missing something that would make this safe?
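The interleaving described in the issue, reproduced deterministically as an added example (not code from omniauth or from the gem under discussion). `SharedVerifier`, `PerCallVerifier`, the `between` hook, the `Request` struct and the token value are hypothetical stand-ins, and the `dup`-per-call variant is only one assumed way to make `call` reentrant.

```ruby
VALID = "expected-token" # constructed sample value
Request = Struct.new(:name, :token) # stand-in for ActionDispatch::Request

# Same shape as the pattern in the issue: one shared object, state kept in an ivar.
class SharedVerifier
  def initialize(&between)
    @between = between # hypothetical hook, used only to force the thread ordering
  end

  def call(request)
    @request = request
    @between&.call(request) # window between the assignment and the check
    verified_request?
  end

  private

  def verified_request?
    @request.token == VALID
  end
end

# Assumed alternative: each call runs on a private copy, so @request is never shared.
class PerCallVerifier < SharedVerifier
  alias_method :call!, :call

  def call(request)
    dup.call!(request)
  end
end

# Thread A assigns @request, then waits until thread B has assigned its own.
def interleave(verifier_class)
  a_assigned = Queue.new
  b_assigned = Queue.new
  verifier = verifier_class.new do |req|
    if req.name == :forged
      a_assigned << true
      b_assigned.pop
    else
      b_assigned << true
    end
  end
  a = Thread.new { verifier.call(Request.new(:forged, "wrong")) }
  b = Thread.new { a_assigned.pop; verifier.call(Request.new(:legit, VALID)) }
  { forged: a.value, legit: b.value }
end
```

With the shared instance, the request carrying the wrong token is judged against the other thread's request and passes; with a copy per call it is rejected.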